-
Notifications
You must be signed in to change notification settings - Fork 6
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
5 changed files
with
129 additions
and
21 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| #version=1.0 | ||
| #url=https://github.com/2Tiny2Scale/tailscale-docker-sidecar-configs | ||
| #COMPOSE_PROJECT_NAME= // only use in multiple deployments on the same infra | ||
| #Find Specific Variables in documentation https://stonith404.github.io/pocket-id/configuration/environment-variables | ||
| SERVICE=pocket-id | ||
| IMAGE_URL=stonith404/pocket-id | ||
| SERVICEPORT=80 | ||
| TS_AUTHKEY= | ||
| DNS_SERVER=1.1.1.1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| # Pocket ID with Tailscale Sidecar Configuration | ||
|
|
||
| This Docker Compose configuration sets up [Pocket ID](https://github.com/stonith404/pocket-id) with Tailscale as a sidecar container to securely manage and access your decentralized identity service over a private Tailscale network. By integrating Tailscale, you can ensure that your Pocket ID instance remains private and accessible only to authorized devices within your Tailscale network. | ||
|
|
||
| ## Pocket ID | ||
|
|
||
| [Pocket ID](https://github.com/stonith404/pocket-id) is an open-source, self-hosted decentralized identity (DID) solution that simplifies user authentication and identity management. It leverages the power of blockchain principles and modern cryptographic techniques to provide a secure, privacy-first approach to identity verification. With Pocket ID, you can authenticate users, manage permissions, and securely issue verifiable credentials, all while maintaining complete control over your identity system. | ||
|
|
||
| ## Key Features | ||
|
|
||
| - **Decentralized Identity**: Built on W3C’s DID standards, enabling privacy-first, self-sovereign identity management. | ||
| - **Verifiable Credentials**: Issue, share, and verify credentials without relying on centralized authorities. | ||
| - **Interoperability**: Compatible with a wide range of DID methods and cryptographic algorithms. | ||
| - **Self-Hosted**: Maintain full control over your identity solution by hosting it locally. | ||
| - **Secure Integration**: Pair with Tailscale for enhanced security, limiting access to your identity services to authorized devices. | ||
|
|
||
| ## Configuration Overview | ||
|
|
||
| In this setup, the `tailscale-pocket-id` service runs Tailscale, which manages secure networking for the Pocket ID service. The `pocket-id` service uses the Tailscale network stack via Docker's `network_mode: service:` configuration. This ensures that Pocket ID’s web interface and APIs are only accessible through the Tailscale network (or locally, if preferred), providing an extra layer of security and privacy for your identity management system. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| { | ||
| "TCP": { | ||
| "443": { | ||
| "HTTPS": true | ||
| } | ||
| }, | ||
| "Web": { | ||
| "${TS_CERT_DOMAIN}:443": { | ||
| "Handlers": { | ||
| "/": { | ||
| "Proxy": "http://127.0.0.1:80" | ||
| } | ||
| } | ||
| } | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,61 @@ | ||
| services: | ||
| # Make sure you have updated/checked the .env file with the correct variables. | ||
| # All the ${ xx } need to be defined there. | ||
| # Tailscale Sidecar Configuration | ||
| tailscale: | ||
| image: tailscale/tailscale:latest # Image to be used | ||
| container_name: tailscale-${SERVICE} # Name for local container management | ||
| hostname: ${SERVICE} # Name used within your Tailscale environment | ||
| environment: | ||
| - TS_AUTHKEY=${TS_AUTHKEY} | ||
| - TS_STATE_DIR=/var/lib/tailscale | ||
| - TS_SERVE_CONFIG=/config/serve.json # Tailsacale Serve configuration to expose the web interface on your local Tailnet - remove this line if not required | ||
| - TS_USERSPACE=false | ||
| - TS_ENABLE_HEALTH_CHECK=true # Enable healthcheck endpoint: "/healthz" | ||
| - TS_LOCAL_ADDR_PORT=127.0.0.1:41234 # The <addr>:<port> for the healthz endpoint | ||
| #- TS_EXTRA_ARGS=--accept-dns=true # Uncomment when using MagicDNS | ||
| volumes: | ||
| - ${PWD}/config:/config # Config folder used to store Tailscale files - you may need to change the path | ||
| - ${PWD}/ts/state:/var/lib/tailscale # Tailscale requirement - you may need to change the path | ||
| devices: | ||
| - /dev/net/tun:/dev/net/tun # Network configuration for Tailscale to work | ||
| cap_add: | ||
| - net_admin # Tailscale requirement | ||
| - sys_module # Tailscale requirement | ||
| #ports: | ||
| # - 0.0.0.0:${SERVICEPORT}:${SERVICEPORT} # Binding port ${SERVICE}PORT to the local network - may be removed if only exposure to your Tailnet is required | ||
| # If any DNS issues arise, use your preferred DNS provider by uncommenting the config below | ||
| #dns: | ||
| # - ${DNS_SERVER} | ||
| healthcheck: | ||
| test: ["CMD", "wget", "--spider", "-q", "http://127.0.0.1:41234/healthz"] # Check Tailscale has a Tailnet IP and is operational | ||
| interval: 1m # How often to perform the check | ||
| timeout: 10s # Time to wait for the check to succeed | ||
| retries: 3 # Number of retries before marking as unhealthy | ||
| start_period: 10s # Time to wait before starting health checks | ||
| restart: always | ||
|
|
||
| # ${SERVICE} | ||
| application: | ||
| image: ${IMAGE_URL} # Image to be used | ||
| network_mode: service:tailscale # Sidecar configuration to route ${SERVICE} through Tailscale | ||
| container_name: app-${SERVICE} # Name for local container management | ||
| environment: | ||
| - PUID=1000 | ||
| - PGID=1000 | ||
| - TZ=Europe/Amsterdam | ||
| #- PUBLIC_APP_URL=https://pocket-id.<your-ts-domain>.ts.net | ||
| #- TRUST_PROXY=yes | ||
| #- MAXMIND_LICENSE_KEY= | ||
| volumes: | ||
| - ${PWD}/${SERVICE}-data:/app/backend/data | ||
| depends_on: | ||
| tailscale: | ||
| condition: service_healthy | ||
| healthcheck: | ||
| test: ["curl -f http://localhost/health"] # Check if process is running | ||
| interval: 1m # How often to perform the check | ||
| timeout: 10s # Time to wait for the check to succeed | ||
| retries: 3 # Number of retries before marking as unhealthy | ||
| start_period: 30s # Time to wait before starting health checks | ||
| restart: always |